Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. The publication of the vulnerability details (CVE-2013-3897) were shared by Microsoft in advance of today's patch for the vulnerability that is now available for download. Websense ThreatSeeker® Intelligence Cloud was able to correlate those attacks and create a profile about targeted geographical locations where attacks began as well as targeted industries, which will be described later in this post. In addition, we found the targeted attacks that utilized the exploit for CVE-2013-3897 also included older exploits in their attacks like CVE-2012-4792 for certain targets.

Executive Summary

Websense ThreatSeeker Intelligence Cloud has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.

Websense telemetry indicates that the attack campaign using the same infrastructure and the exploit (CVE-2012-4792) began as early as August 23rd 2013 before transitioning to CVE-2013-3897 in mid-September

A patch has been supplied by Microsoft and is available for download.

Microsoft took this opportunity to patch a previous vulnerability for Internet Explorer CVE-2013-3893. The patch for both vulnerabilities can be found at this link: ms13-080.

Our telemetry shows that the actors behind these attacks used their infrastructure to launch older exploits for Internet Explorer, such as CVE-2012-4792, which was first seen at the start of 2013.

Websense has protected our customers from the recent Microsoft Internet Explorer CVE-2013-3897 and CVE-2013-3893 exploits observed in the wild by using real-time analytics that have been in place for nearly three years.

Vulnerability Details for CVE-2013-3897

The vulnerability is caused by a "use-after-free" error when processing "CDisplayPointer" objects within mshtml.dll and generically triggered by the “onpropertychange” event handler; the vulnerability could be exploited remotely by attackers to compromise a system via a malicious web page. The specific exploit that has been seen uses heap-spray to allocate some memory that employs an ROP technique around the 0x14141414 address (as confirmed by the Microsoft Security Response Center).

A sample of one of the specific exploit pages that has been spotted in the wild shows Javascript code that appears to target Microsoft Windows XP 32-bit with these languages: Japanese or Korean and Internet Explorer 8.

The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x/24, which is geolocated in the Republic of Korea. The attack lure pages (starting point of the exploit chain) on that network range share the same URL patterns and they all consist of the URL structure <x.x.x.x>/mii/guy2.html.

We also spotted that a URL with that same structure on the same network range was used to serve an older and disclosed exploit for Internet Explorer CVE-2012-4792 also in a low-volume and targeted way. Those attacks were launched at the end of August this year. Here is a snippet of the page located at hxxp://1.234.31.142/mii/guy2.html. In the case of CVE-2012-4792 in this campaign, it looks like there were no conditional checks for the operating system, browser, and language prior to serving the exploit, which means it was served to the target unconditionally.

Telemetry

Looking at the broader picture and taking into account all the related attacks that we've seen served from the IP range 1.234.31.x/24, we found some interesting information that can shed more light on the high-level agenda held by the perpetrators in this campaign. The next pie chart shows the different industries that we saw being targeted with this campaign in the last month. The chart reveals that the interest of the perpetrators in this case is broad as they aim to compromise different type of industries that aren't necessarily related to each other:

Another interesting find is that this attack campaign is global; although, as described earlier, attack pages check whether the operating system's language is either Japanese or Korean before issuing the CVE-2013-3897 exploit. It looks like the geolocation of targeted entities of Korean or Japanese origin are not just limited and based in those countries. For example, one entity that belongs to the Engineering and Construction industry has been targeted in the U.S. as one of its locations. In addition, as mentioned before, those who use CVE-2012-4792 didn't employ any conditional checks before issuing the exploit, so that meant the potential targets in that case could be more varied. Indeed, we found that with this campaign, a government entity located in the U.S. was targeted with CVE-2012-4792.The next pie chart shows the popularity of the different targeted geographical locations of this campaign:

Exploit Locations vs. Targets

Websense telemetry indicates that the CVE-2013-3897 exploit has been hosted on servers in Seoul, South Korea at IP addresses 1.234.31.153, 1.234.31.142 and 1.234.31.154. We have seen this exploit targeting computers located in the United States, Hong Kong, and Seoul, South Korea.

Summary

In this blog, we've taken a look at a targeted attack campaign that has been in circulation for the past month. It appears that the perpetrators behind this campaign target entities that belong to different industries over a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related. The perpetrators behind these campaigns are innovative and employ zero-day exploit code, but it also appears that their work is customized for their targets since we witnessed older exploits that have already been patched being used in selected attacks.

Update 10/10/2013 - Websense Researchers have confirmed that the attacks seen from this threat actor beginning August 23rd, 2013 were utilizing the CVE-2012-4792 exploit. The first observed use of CVE-2013-3897 as part of this campaign was on September 18th, 2013.